Can't Access extenal network from a VM

Asked by Itzik B. on 2012-12-25

I'm using openstack quantum with linux bridge plugin.
I'm trying to access external network (172.30.0.0/16) from a VM (192.168.101.4) but it seems that the packets are going out with the source IP of the internal network.

Here is the iptables of the network node (Running dhcp/l3/linux-bridge agents):

    # Generated by iptables-save v1.4.7 on Tue Dec 25 23:57:49 2012
    *nat :PREROUTING ACCEPT [2439:381349] :POSTROUTING ACCEPT [27:2655] :OUTPUT ACCEPT [32:3383] :quantum-l3-agent-OUTPUT - [0:0] :quantum-l3-agent-POSTROUTING - [0:0] :quantum-l3-agent-PREROUTING - [0:0] :quantum-l3-agent-float-snat - [0:0] :quantum-l3-agent-snat - [0:0] :quantum-postrouting-bottom - [0:0]
    -A PREROUTING -j quantum-l3-agent-PREROUTING
    -A POSTROUTING -j quantum-l3-agent-POSTROUTING
    -A POSTROUTING -j quantum-postrouting-bottom
    -A OUTPUT -j quantum-l3-agent-OUTPUT
    -A quantum-l3-agent-POSTROUTING ! -i qg-63ca34c1-fe ! -o qg-63ca34c1-fe -m conntrack ! --ctstate DNAT -j ACCEPT
    -A quantum-l3-agent-snat -j quantum-l3-agent-float-snat
    -A quantum-l3-agent-snat -s 192.168.101.0/24 -j SNAT --to-source 172.30.40.133
    -A quantum-postrouting-bottom -j quantum-l3-agent-snat
     COMMIT
    # Completed on Tue Dec 25 23:57:49 2012
    # Generated by iptables-save v1.4.7 on Tue Dec 25 23:57:49 2012
    *filter :INPUT ACCEPT [51588:23769810] :FORWARD ACCEPT [52059:23463546] :OUTPUT ACCEPT [1946:526042] :quantum-filter-top - [0:0] :quantum-l3-agent-FORWARD - [0:0] :quantum-l3-agent-INPUT - [0:0] :quantum-l3-agent-OUTPUT - [0:0] :quantum-l3-agent-local - [0:0]
    -A INPUT -j quantum-l3-agent-INPUT
    -A FORWARD -j quantum-filter-top
    -A FORWARD -j quantum-l3-agent-FORWARD
    -A OUTPUT -j quantum-filter-top
    -A OUTPUT -j quantum-l3-agent-OUTPUT
    -A quantum-filter-top -j quantum-l3-agent-local COMMIT
    # Completed on Tue Dec 25 23:57:49 2012

Is it correct that the packets are not going through SNAT rule ?
What am I missing?

Thanks,
Itzik

Question information

Language:
English Edit question
Status:
Solved
For:
neutron Edit question
Assignee:
No assignee Edit question
Solved by:
Itzik B.
Solved:
2012-12-26
Last query:
2012-12-26
Last reply:
2012-12-26
yong sheng gong (gongysh) said : #1

The rules seems good. you can try to add some rules to test if your iptables service works.
for example:
sudo iptables --delete INPUT --protocol icmp --jump DROP
to block ping locally.

Itzik B. (gandalf100) said : #2

Hi ,

Thanks for you answer.
I don't see a DROP rule.The thing is that when I run tcpdump on the host in the external network I see that that packets have the source IP of the internal network and not as it should be with the address of the external network(The network node external IP).

Thanks,
Itzik

yong sheng gong (gongysh) said : #3

Hi,
I mean you can check if your iptables service works by adding a new rule into it.

Itzik B. (gandalf100) said : #4

As noted by Etsuji Nakai in this guide(Thanks Gary):

http://d.hatena.ne.jp/enakai00/20121118/1353226066

One should do the following:

1. Check the following entries in /etc/sysctl.conf.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

2. Create /etc/sysconfig/modules/openstack-quantum-linuxbridge.modules as below.
#!/bin/sh

modprobe -b bridge >/dev/null 2>&1

exit 0

3. # chmod ugo+x /etc/sysconfig/modules/openstack-quantum-linuxbridge.modules

4.reboot